Backing up business critical systems is a key part of any organization’s disaster recovery plan. Backups provide necessary protection against data loss in day to day and long term IT operations. Included in the planning for disaster recovery, organizations want to think about site resiliency and the ability to failover to a different location in the event that a site goes down due to a natural disaster, or potentially a malware/ransomware attack. There are certainly backup and disaster recovery best practices that organizations need to think about when designing and engineering a backup strategy that accounts for business continuity, efficiency, resiliency, security, and reliability. In this post, we will discuss five areas as they relate to accomplishing these goals:
- Changed Block Tracking
- Multiple Backup Copies
- Application Aware backups
- Encrypted Backups
- Testing Backups with Restores
Changed Block Tracking
Today, virtualized workloads dominate the enterprise datacenter. Fewer and fewer physical server workloads are being provisioned. Virtualized Microsoft Windows Server resources offer tremendous advantages in terms of Windows Server backups as opposed to physical server backup. When thinking about backups of virtual machines running on either VMware or Hyper-V platforms, modern backup solutions today make use of Changed Block Tracking or CBT (VMware) and Resilient Change Tracking (Hyper-V). Why do we want to make sure backups of virtual machines utilize these technologies?
When we perform a full backup, we have a complete representation of that virtual machine block by block. Changed Block Tracking allows allow subsequent backups to be incremental backups so that we only copy changes that have been made. It does this by creating a mapping of all the blocks of data used by a virtual machine. On the next backup, the changed tracking information knows which blocks have changed since the last backup. The changed blocks contain the only data that is copied over in the next backup. VMware has had CBT implemented since ESX4/ESXi4. However, in the Hyper-V world, this is a relatively new development. In Windows Server 2016, Microsoft introduced its implementation of changed block tracking called Resilient Change Tracking to keep track of these changed blocks in Hyper-V.
In either platform, using the Changed Block Tracking technology can reap huge dividends in terms of space used and backup time taken for each backup cycle. It is definitely best practice to utilize these technologies for more efficient backups of virtual environments.
Multiple Backup Copies
When thinking about the critical nature of backups and their importance, we always want to have multiple copies of our backups at different locations. This helps to diversify and mitigate risk of losing backed up data. If an entire production site is destroyed by a natural disaster and all the critical backups were housed at that same site, recovering data may be impossible. However, if we spreading copies of our backup data to other sites, we would still be able to recover if an entire site was lost.
Another risk concerning backup data is the possibility of ransomware infections. If a site is infected with ransomware and a user such as an administrator who has access to the backup location is compromised, backup data may be encrypted along with production systems. If copies of those backups exist in different sites, it is much less likely the additional sites would be affected by the same ransomware encryption due to different subnets, and often different security.
It is imperative that organizations today consider the risks above when thinking about their Windows Server Backups and having multiple copies of backup data in different sites.
Application Aware Backups
Application aware backups work in harmony with Windows Volume Shadow Copy (VSS) and VSS writers which are special hooks into VSS used by specific applications. Such applications as Microsoft Exchange Server and Microsoft SQL Server have VSS writers that can be utilized by today’s backup solutions. What do application aware backups do?
By using the VSS writers for specific applications, the backup solution is able to properly flush any pending writes or database operations from memory to disk so the backup of the application is in a consistent state. This means we don’t have to do any special log replays or additional processes to bring the application to a consistent state in addition to restoring the backup.
We always want to use “application aware” backups in connection with any backups of Windows Server that house database driven applications in particular. The transactional nature of databases make it necessary to keep the database in a consistent state with each backup cycle.
Encrypted Backups
We may not readily think about backup data as subject for data breach. However, when we think about what backups actually contain, the data is the same as production. We need to treat the data contained in backups just as securely as we would the actual data that exists on the production system.
As a best practice, we should encrypt backups. Encryption uses a key to encode data so that it is unreadable without the key that was used to encode it. This means that even if someone were to gain possession of the actual backup files themselves, they would be unable to read the data that is contained in them.
With the security concerns of today’s world and data breaches making headlines, organizations must treat all data as secure, even backups.
Testing Backups with Restores
One of the biggest mistakes that administrators make with backup solutions is not having a testing routine for testing those backups with restores. In a true disaster recovery situation, as an administrator, you don’t want to have any surprises when it comes to the integrity of your backups. If there are issues with backups, you want to make sure those are found before the DR scenario comes into play. Test restores of backups periodically to ensure they are not corrupted and they are current.
Many backup solutions offer automated ways to mount restore points, boot the VM, and send some type of verification back to the administrator verify the virtual machine booted correctly. This makes verifying backups much easier as the backup solution is doing most of the heavy lifting.
Even if there is no automated mechanism within the backup solution product to automate this verification, it is imperative to test restoring backup data at least periodically. Staging DR tests and following a play book detailing what needs to happen in a disaster recovery scenario can also be very beneficial.
Thoughts
By following backup and Disaster Recovery best practices, organizations ensure the highest probability of protecting business critical systems. We have discussed five ways that affect the business continuity, efficiency, resiliency, security, and reliability of backups and disaster recovery. Each of these areas plays a key role in ensuring organizations meet RTO and RPO’s in line with their business needs.
Got questions? Email us at: vembu-support@vembu.com for answers.
Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.